Imagine you’re invested with a manager you have absolute confidence in, having done due diligence on every aspect of their business. All their cyber security policies and protections seem to be in order. And then they’re hacked, causing huge damage to business operations and reputation.
As the story unfolds, it is revealed that their main IT provider has gone out of business, having neglected various critical updates due to constrained resources and financial pressures. What could you have done differently?
This imagined but all-too-realistic scenario reveals the need for proper due diligence of the supply chain. In this article we’ll look at how to do proper due diligence on the supply chain, including the level of depth and detail you should go into, how you should structure your due diligence investigation of the supply chain, risk factors, red flags and more.
Supply Chain Due Diligence Basics
Performing due diligence on a supplier doesn’t differ hugely from the basic operational due diligence you perform on a manager. You’ll still want to look at:
- Culture: What are the values that are lived and breathed by that organization, not just what they put in their marketing brochures?
- Governance: What policies and procedures are in place to safeguard against risk, and how well are they known and implemented in reality?
- Reputation: How are they perceived in the industry? How many war stories are associated with their name versus positive reviews?
- Security: How do they protect themselves through technology and guard against cyber threats and risks of failures?
- Stability: How stable is the business both financially and in terms of its leadership team?
A Process For Supply Chain Due Diligence
- Develop a due diligence questionnaire with a rounded approach to all the areas outlined above. Make sure your questions are structured in such a way as to invite candid and full answers (open questions, not obviously seeking flaws).
- Make sure you tweak your questions to reflect the nature of the supply chain relationship (so more IT security questions for the IT provider, more trading practices questions for a broker, etc.).
- Use your questionnaire responses, your own organization’s risk appetite and the nature of the supplier relationship to structure the next part of your investigation, only digging into areas that are of most concern or present the most obvious risk. You’re doing due diligence, not a complete history of every possible aspect of every single supplier.
- Use the same series of red flags and risk factors that you would with due diligence on a manager, so anything that has caused concern either in your research or their responses (blanks or worrying answers).
- Consider whether you need to go into the next tier of the supply chain, those who supply the main suppliers. This will likely be the case if the supplier is critical to the manager’s operations or if their DDQ reveals a significant reliance on a few suppliers, such that, were those suppliers to fail, the original supplier’s business would cease to function.
Due diligence on the supply chain can be a hugely time-consuming task, often meeting greater resistance or delay than operational due diligence on the manager (after all, the supplier doesn’t have the financial incentive to provide support that the manager does). With this in mind, you want to develop a robust model of what you must look at and why, so you don’t spend time chasing unnecessary detail but do all you can to avoid ending up in a scenario similar to the one we explored at the start.